Re: [fw-wiz] pix and syslog
From: Brian Ford (brford_at_cisco.com)
Date: 05/31/03
- Previous message: Brian Ford: "[fw-wiz] Re: Home Environment Cisco"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Luca Berra <bluca@comedia.it>
Date: Sat, 31 May 2003 08:28:18 -0400
Luca,
Newlines? I guess I didn't see enough of your log output to get the
issue? I don't know of any newlines issues.
You are using the relatively new PIX (v6.3) ACL logging feature. You
probably know this already but for everyone else your output means:
>access-list sarca permit tcp any host 4.5.6.7 log 4 interval 600
So this is PIX ACL:
named sarca
that permits TCP
the source address is any (0.0.0.0 0.0.0.0 = any address and any mask)
the destination address is the host 4.5.6.7 only (mask = 255.255.255.255)
you are logging when this ACL gets a hit (that message will have log ID =
106100)
you have assigned that 106100 log message that is generated to Syslog level 4
and you defined the log interval (time between 106100 messages) to 600
seconds (which is the max time)
So based on that log interval you should also be seeing the first hit
(counter starts) and the number of times the 106100 message was generated
in 600 second intervals (just a number but the counter resets before next).
In the output the numbers in parens after the IP addresses are the port
numbers. The "hit cnt" is the number of times the PIX generated that ACL
and is usually at the end of the log message.
>106100: access-list sarca permitted tcp sarca/1.2.3.4(3796) ->
> inside/4.5.6.7(80) hit-cnt 1 (first hit)
I hope this is working well for you. Be careful. Some folks have turned
ACL logging on for everything (all ACLs) and in that config it does impact
performance.
Liberty for All,
Brian
At 05:15 PM 5/30/2003 -0400, firewall-wizards-request@honor.icsalabs.com wrote:
>Message: 3
>Date: Fri, 30 May 2003 19:22:04 +0200
>From: Luca Berra <bluca@comedia.it>
>To: firewall-wizards@honor.icsalabs.com
>Subject: [fw-wiz] pix and syslog
>
>hello,
>i have a pix version 6.3.1 configured to log via syslog on an HP-UX server.
>I would like to log packets permitted by a particular rule of an
>access-list to see if i can tighten it. so i have
>
>access-list sarca permit tcp any host 4.5.6.7 log 4 interval 600
>
>in the buffer log i see something like
>106100: access-list sarca permitted tcp sarca/1.2.3.4(3796) ->
> inside/4.5.6.7(80) hit-cnt 1 (first hit)
>
>on the syslogserver i see:
>
>..: %PIX-4-106100: access-list usi permitted tcp sarca/1.2.3.4(3796) ->
>
>is there any known issue on newlines and syslog?
>
>regards,
>L.
Brian Ford
Consulting Engineer
Corporate Consulting Engineering, Office of the Chief Technology Officer
Cisco Systems, Inc.
http://www.cisco.com
e-mail: brford@cisco.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
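The 106100 message dissected in Brian's reply, and the truncated line Luca saw on his syslog server, can be checked mechanically. The following parser is an added example written for this archive page, not code from Cisco or from either poster. It assumes the documented 106100 layout (acl, permitted/denied, protocol, interface/address(port) -> interface/address(port), hit-cnt N, then either "first hit" or an "N-second interval" window; the interval wording is assumed from the 600-second log interval described above), it aggregates hit counts per flow, and it reports any 106100 line that was cut off before the destination, which is exactly the symptom in the question. The sample log lines are constructed to match the thread's output.

```python
import re

# Full 106100 ACL-hit message. Field layout follows the message quoted in the
# thread; the "N-second interval" form of the final parenthesis is an assumption
# based on the 600-second log interval explained in the reply.
PIX_106100 = re.compile(
    r"%PIX-(?P<level>\d)-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src_if>[^/\s]+)/(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\) hit-cnt (?P<hits>\d+) "
    r"\((?P<window>first hit|\d+-second interval)\)"
)

# Recognises a 106100 message even when its tail was lost, e.g. cut at the "->".
PIX_106100_PREFIX = re.compile(r"%PIX-\d-106100: access-list \S+ (permitted|denied) ")


def parse_106100(line):
    """Return a dict of fields for a complete 106100 line, None if the line is
    some other message, or raise ValueError if it is a truncated 106100 line."""
    m = PIX_106100.search(line)
    if m:
        rec = m.groupdict()
        for k in ("level", "src_port", "dst_port", "hits"):
            rec[k] = int(rec[k])
        rec["first_hit"] = rec["window"] == "first hit"
        return rec
    if PIX_106100_PREFIX.search(line):
        raise ValueError("truncated 106100 message: " + line.strip())
    return None


# Constructed sample syslog output modelled on the thread (third line is cut
# off at the "->" the way the poster's syslog server showed it).
SAMPLE_LOG = """May 31 08:28:18 pix %PIX-4-106100: access-list sarca permitted tcp sarca/1.2.3.4(3796) -> inside/4.5.6.7(80) hit-cnt 1 (first hit)
May 31 08:38:18 pix %PIX-4-106100: access-list sarca permitted tcp sarca/1.2.3.4(3801) -> inside/4.5.6.7(80) hit-cnt 17 (600-second interval)
May 31 08:38:20 pix %PIX-4-106100: access-list sarca permitted tcp sarca/1.2.3.4(3796) ->
May 31 08:38:21 pix %PIX-6-302013: Built inbound TCP connection (unrelated message)
"""


def summarize(log_text):
    """Sum hit counts per (src_ip, dst_ip, dst_port) flow across all complete
    106100 lines, and collect the lines that arrived truncated."""
    totals = {}
    truncated = []
    for line in log_text.splitlines():
        try:
            rec = parse_106100(line)
        except ValueError:
            truncated.append(line)
            continue
        if rec is None:
            continue
        key = (rec["src_ip"], rec["dst_ip"], rec["dst_port"])
        totals[key] = totals.get(key, 0) + rec["hits"]
    return totals, truncated


if __name__ == "__main__":
    totals, truncated = summarize(SAMPLE_LOG)
    for flow, hits in totals.items():
        print("%s -> %s:%d  hits=%d" % (flow[0], flow[1], flow[2], hits))
    for line in truncated:
        print("TRUNCATED:", line)
```

Per-flow totals are what you want when deciding whether a permit rule can be tightened, and a non-empty truncated list tells you the syslog transport, not the PIX counter, is where messages are being lost.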